The Hacker News — Cyber Security, Hacking, Technology News

A well-known company popular for buying and selling zero-day vulnerabilities is now offering up to $100,000 for providing a working zero-day exploit for bypassing the Flash Player's Heap Isolation mitigation.

Few months back, Adobe deployed Heap Isolation in Flash version 18.0.0209 with an aim at making the Use-After-Free (UAF) vulnerabilities more difficult for cybercriminals to exploit.

Zerodium is a startup by the infamous French-based company Vupen that Buys and Sells zero-day exploits and vulnerabilities.

What is "Isolated Heap" Mitigation Technique?

The use-after-free vulnerability is a type of memory corruption flaw that can be exploited by Hackers to execute arbitrary code or even allows full remote code execution capabilities.

Isolated Heap mitigation mechanism is designed to solve the usage issue of Use-After-Free (UAF) exploitation.

This Mitigation technique allocates a dedicated heap for selected critical objects to use, which is separate from other heaps that a user can directly access.

Isolated Heap prevents precise control of the data, thus eliminates the hacker's ability to corrupt memory in this way.

Here's The Target to Win $100,000

Today, Zerodium posted a tweet announcing that the company is offering:

$100,000 this month for an exploit that bypasses heap isolation of Flash Player with a sandbox escape.

$65,000 for an exploit that bypasses heap isolation of Flash Player without a sandbox escape.

Now, let’s wait and watch who will win this competition, or I can say that who will be going to sell a new zero-day exploit to the company which is infamous for re-selling them further.

And If you really want to get rid of such nasty zero-day exploits, you are advised to simply disable or completely uninstall Adobe Flash Player immediately. Stay Tuned to our Facebook Page for latest Hacker News stories.

Does Adobe Flash, the standard that animated the early Web, needs to Die?

Unfortunately, Yes.

Despite Adobe’s best efforts, Flash is not safe anymore for Internet security, as a recent zero-day Flash exploit has been identified.

Just Yesterday Adobe released its monthly patch update that addressed a total of 69 critical vulnerabilities in Reader, Acrobat, including 13 critical patches for Flash Player.

Now today, Security researchers have disclosed a new zero-day vulnerability in fully patched versions of Adobe Flash, which is currently being exploited in the wild by a Russian state-sponsored hacking groups, named “Pawn Storm”.

NO Patch For Latest Flash Exploit

That means, even users with an entirely up-to-date installation (versions 19.0.0.185 and 19.0.0.207) of the Flash software are also vulnerable to the latest zero-day exploit.

Luckily, for the time being, this exploit is only being used against Government agencies and several foreign affairs ministries from around the globe.

However, now, when the zero-day vulnerability is publicly known to everyone, hackers could exploit it to target innocent Flash Player users too.

Adobe has been notified of latest discovery and researchers are also working with them to address this flaw.

Readers are advised to disable or completely uninstall Adobe Flash Player immediately.

“OYE Flash! Enough is Enough”, said The Internet

Adobe Flash Player is dead and its time has passed. In January this year, YouTube moved away from Flash for delivering videos.

In between, Flash made an effort to beef up its security in an effort to justify its existence.

However, things got a bit heated when Firefox became aware of a critical security flaw and blocked the Flash plugin entirely.

Facebook’s Security Chief publicly called for Adobe to announce a kill-date for Flash and Google Chrome has also begun blocking auto-playing Flash ads by default.